Protect access to email with Microsoft Intune: Example scenarios

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

Scenario 1: Block users from using noncompliant devices to access Exchange Online

Scenario requirements

  • All users in the Accounting Azure Active Directory security group must be blocked from accessing Exchange Online if their device is not compliant with a compliance policy that you deployed.
  • If any users in this group have devices that Intune does not support, they must be blocked from accessing Exchange Online on those devices.
  • Users in the Finance Azure Active Directory security group must be exempt from the policy, even if they are also members of the Accounting security group.

To accomplish this, configure a conditional access policy for Exchange Online with the following settings:

  • Choose Enable conditional access policy.

  • Choose the platforms from which apps that use modern authentication are allowed access.

  • For Exchange ActiveSync apps, choose Block noncompliant devices on platforms supported by Microsoft Intune and Block all other devices on platforms not supported by Microsoft Intune.
  • In the Targeted group section, under Selected security groups, choose the Accounting user group.

  • In the Exempted group section, under Selected security groups, choose the Finance user group.

Because the exempted group is evaluated before the targeted group, a user who is in both Finance and Accounting is never evaluated against the policy.

In this scenario, the following flow decides which devices can access Exchange Online:

Device access flow (diagram)

Scenario 2: All iOS devices that access Exchange on-premises must be managed by Intune

Scenario requirements

  • Only devices that run iOS should be allowed to access Exchange on-premises.
  • Those devices must also be enrolled in Intune and meet the compliance policy rules before they can be used to access Exchange.

To accomplish this, configure a conditional access policy for Exchange on-premises with the following settings:

  • Choose the option Block email apps from accessing Exchange on-premises if the device is noncompliant or not enrolled in Microsoft Intune. Choosing this option enables the conditional access policy, which requires that every device be enrolled in Microsoft Intune and meet the compliance policy rules before it can access Exchange.

  • For the advanced Exchange ActiveSync settings, create:

    • A platform exception that allows devices that run iOS to access Exchange.

    • A default rule that specifies that a device not covered by the platform exception rule is blocked from accessing Exchange. This rule ensures that devices that are not running iOS are blocked from accessing Exchange.

The following flow decides which devices can access Exchange:

Device access flow (diagram)

Scenario 3: No Android devices can access Exchange on-premises

Scenario requirements

  • All Android devices should be blocked from accessing Exchange.
  • All other supported devices can access Exchange, as long as they are managed by Intune.

To accomplish this, configure a conditional access policy for Exchange on-premises with the following settings:

  • Choose the option Block email apps from accessing Exchange on-premises if the device is noncompliant or not enrolled in Microsoft Intune. Choosing this option requires that every device be enrolled in Intune and meet the compliance policy rules.

  • For the advanced Exchange ActiveSync settings, create:

    • A platform exception that blocks devices that run Android from accessing Exchange. This rule ensures that Android devices cannot be used to access Exchange.

    • A default rule that specifies that a device not covered by any other rule is allowed to access Exchange. This default rule ensures that devices that run a platform other than Android, but that Microsoft Intune supports, can be used to access Exchange. They must, however, still be enrolled in Intune and meet the compliance policy rules.

The following flow decides which devices can access Exchange:

Device access flow (diagram)
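The access-flow diagrams for all three scenarios are not reproduced on this page, so the following is an added example that models the decision logic the three scenarios describe: the exempt-group precedence of Scenario 1, the platform-support check for Exchange Online, and the "enrolled and compliant, then platform exception, then default rule" order for Exchange on-premises in Scenarios 2 and 3. It is not Intune's own evaluation code; the set of supported platforms, the user and device records, and the treatment of an unenrolled device as noncompliant are assumptions made for illustration.

```python
"""Simplified model of the device-access decisions described in Scenarios 1-3.

Added example, not Intune's own logic. Assumptions: the platform set below is
illustrative; a device that is not enrolled has no compliance state and is
treated as noncompliant; exempted groups are checked before targeted groups.
"""
from dataclasses import dataclass

# Assumption: illustrative set of platforms Intune can enroll and manage.
INTUNE_SUPPORTED = frozenset({"iOS", "Android", "Windows"})


@dataclass(frozen=True)
class Device:
    platform: str      # platform reported by the device, e.g. "iOS"
    enrolled: bool     # enrolled in Intune
    compliant: bool    # meets the deployed compliance policy


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # Azure AD security group names the user belongs to


def is_managed_and_compliant(device: Device) -> bool:
    """An unenrolled device cannot report compliance, so it counts as noncompliant."""
    return device.enrolled and device.compliant


def exchange_online_decision(user: User, device: Device,
                             targeted: frozenset, exempt: frozenset) -> str:
    """Scenario 1: Exchange Online policy with targeted and exempted groups.

    Exemption wins over targeting, so a user in both Finance and Accounting is
    not evaluated against the policy at all.
    """
    if user.groups & exempt:
        return "allow: user is in an exempted group"
    if not user.groups & targeted:
        return "allow: policy does not target this user"
    if device.platform not in INTUNE_SUPPORTED:
        return "block: platform not supported by Microsoft Intune"
    if not is_managed_and_compliant(device):
        return "block: device not enrolled or noncompliant"
    return "allow"


def exchange_on_prem_decision(device: Device, platform_exceptions: dict,
                              default_rule: str) -> str:
    """Scenarios 2 and 3: Exchange on-premises policy.

    The policy option 'block if noncompliant or not enrolled' applies to every
    device first. Then a platform exception, if one names the device's
    platform, overrides the default rule ("allow" or "block").
    """
    if not is_managed_and_compliant(device):
        return "block: device not enrolled or noncompliant"
    rule = platform_exceptions.get(device.platform, default_rule)
    if rule == "allow":
        return "allow"
    if device.platform in platform_exceptions:
        return "block: platform exception"
    return "block: default rule"


# Policy definitions taken from the three scenarios.
SCENARIO1_TARGETED = frozenset({"Accounting"})
SCENARIO1_EXEMPT = frozenset({"Finance"})
SCENARIO2_EXCEPTIONS, SCENARIO2_DEFAULT = {"iOS": "allow"}, "block"
SCENARIO3_EXCEPTIONS, SCENARIO3_DEFAULT = {"Android": "block"}, "allow"


def evaluate_all(user: User, device: Device) -> dict:
    """Run one user/device pair through all three scenario policies."""
    return {
        "scenario1": exchange_online_decision(
            user, device, SCENARIO1_TARGETED, SCENARIO1_EXEMPT),
        "scenario2": exchange_on_prem_decision(
            device, SCENARIO2_EXCEPTIONS, SCENARIO2_DEFAULT),
        "scenario3": exchange_on_prem_decision(
            device, SCENARIO3_EXCEPTIONS, SCENARIO3_DEFAULT),
    }


if __name__ == "__main__":
    # Constructed sample users and devices.
    alice = User("alice", frozenset({"Accounting", "Finance"}))
    bob = User("bob", frozenset({"Accounting"}))
    for who, dev in [
        (alice, Device("Android", enrolled=False, compliant=False)),
        (bob, Device("iOS", enrolled=True, compliant=True)),
        (bob, Device("Windows", enrolled=True, compliant=False)),
    ]:
        print(who.name, dev.platform, evaluate_all(who, dev))
```

Note how the same unenrolled Android phone is allowed for alice under Scenario 1 (she is exempt through Finance) but blocked under Scenarios 2 and 3, and how an enrolled but noncompliant Windows device is blocked everywhere regardless of the platform rules.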
